If you’re running an exchange server (or any other type of mail server) on-premise, you should consider putting your spam filtering gateway outside your network, either at a co-location (if it’s a physical server), or, if it’s a software package, on a VPS provider (Virtual Private Server).
The reason is simple: by doing this, the spam filter is basically acting as an edge server and most spam filters are built on top of conventional mail transport agent platforms most of these MTA’s (Message Transfer Agents) can act as a spooler should you have a network outage. When shopping for a spam filter or email security solution, it is therefore important to ask the vendor if the solution acts like a spooler in case of a network outage.
If your network goes down for a few hours (in this day and age, even extreme weather events can cause an outage) or you have some sort of failure with your primary MTA, you want to have something “mailbagging” emails for you while you work on the problem or as you wait the situation out (if it is outside your control).
In principle, if an MTA tried to transmit mail to your server and your server didn’t respond, this WOULD be considered a temporary failure and most MTAs should retry every few minutes up to several days to send the message to you. But you can’t necessarily rely on that assumption. High volume sites for instance, may have shorter retry policies [like the big free Email providers] due to the sheer volumes of outgoing Email they have to transmit each day. Some Internet service providers may also have shorter retry schedules.
So it’s usually a good policy to keep your edge MTA (in most cases, a spam filter) out on a different network. If you’re using multiple filters, you could have one at your primary site and one at a colocation site.
Cloud-based spam filtering services
This is where Cloud-based spam filtering services can be useful to you. Instead of using an on-premise spam filter, the filtering service provider already has his infrastructure “out there” and most can provide some retention time on their delivery queues, so they act as mail spoolers as well as mail filters.
However if you have privacy or compliance concerns, or perhaps you want to retain more control over your environment, it’s fairly trivial nowadays to setup a physical or virtual server at a colocation or VPS provider. In fact, in some cases it’s so cheap to rent a virtual machine that there is really no excuse not to! You can probably do it cheaper yourself with a VPS provider and a good spam filtering package than going to a cloud service.
You can go with the big names like Amazon, Azure or Rackspace for your hosted virtual machines, however if you search for “VPS providers”, you will find hundreds of companies offering Linux and Windows-based VMs literally for peanuts with varying capacity and SLAs. So really if you’re using a spam filter, like a good guard dog, keep it outside.